Programming Languages Impacted by Deserialization Issues

26 Oct

Anyone involved in software development knows that deserialization vulnerabilities have become a growing problem in the past few years. The first languages affected included Java and PHP, but Ruby and .NET are now also in the crosshairs.

Serialization and Deserialization

Deserialization attacks first came to prominence in the Java programming language in 2016, affecting many of the applications running on that platform, and in 2018 they are proving to be a problem for .NET and Ruby applications as well.

But what is the issue? It involves serialization, the process of converting data objects into a binary format. This conversion is necessary because it allows the information to be sent over the network, stored in a database or written to disk.

Deserialization is the reverse process: the binary format is converted back into the object structure it was originally created from. This process is fundamental to applications written in these languages.

Serious Deserialization Problems

Security researchers discovered that flaws in the serialization and deserialization process made it possible to trick applications into executing attacker-supplied commands and code, which could wreak havoc on many automated operations and application processes.
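The root of the problem is that a native deserializer rebuilds whatever object graph the input describes, so the sender chooses the class, not the receiver. The following Ruby snippet is an added illustration (not code from the article or from elttam): the `Session`, `Unexpected` and role names are constructed, and the hardened path replaces `Marshal` with a data-only format that is validated field by field.

```ruby
require 'json'

# Constructed example type: the only object the receiver expects to get back.
Session = Struct.new(:user, :role)

# Unsafe pattern: Marshal.load rebuilds whatever object graph the bytes describe,
# so the receiver gets back whichever class the sender chose, not just Session.
def unsafe_deserialize(bytes)
  Marshal.load(bytes)
end

# A constructed class the receiver never asked for; it stands in for any loadable
# class whose reconstruction has side effects. Its presence shows who controls the type.
class Unexpected
  attr_reader :payload
  def initialize(payload)
    @payload = payload
  end
end

# Hardened alternative: accept a data-only format (JSON) and rebuild the expected
# type by hand, rejecting unknown keys and wrong value types.
ALLOWED_ROLES = %w[reader editor].freeze

def safe_deserialize(text)
  data = JSON.parse(text, create_additions: false) # never rehydrate classes from input
  raise ArgumentError, 'object expected' unless data.is_a?(Hash)
  extra = data.keys - %w[user role]
  raise ArgumentError, "unexpected keys: #{extra.join(',')}" unless extra.empty?
  raise ArgumentError, 'bad user' unless data['user'].is_a?(String) && !data['user'].empty?
  raise ArgumentError, 'bad role' unless ALLOWED_ROLES.include?(data['role'])
  Session.new(data['user'], data['role'])
end

# Detection aid: Ruby Marshal streams begin with the version bytes 0x04 0x08; an
# endpoint that expects JSON can flag such input before any deserializer touches it.
MARSHAL_MAGIC = "\x04\x08".b.freeze

def looks_like_marshal?(bytes)
  bytes.b.start_with?(MARSHAL_MAGIC)
end

if __FILE__ == $0
  good = Marshal.dump(Session.new('alice', 'reader'))
  puts unsafe_deserialize(good).inspect
  smuggled = Marshal.dump(Unexpected.new('not a session')) # constructed payload
  puts unsafe_deserialize(smuggled).class                   # Unexpected, not Session
  puts safe_deserialize('{"user":"alice","role":"reader"}').inspect
  puts looks_like_marshal?(smuggled)
end
```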

The issue was first brought to attention by two researchers in 2015, who discovered a serious flaw in Apache Commons Collections, a very widely used Java library that became the target of the exploit. The researchers found that they could use it to take over many Java servers, including JBoss, OpenNMS and WebSphere.

Not Just a Java Problem

There was a time when experts believed the issue might only affect Java. That was soon proven false, with .NET and PHP also affected; the vulnerability in these two languages was discovered in 2017.

Ruby Falls Too

One of the most recent languages to fall to this issue is Ruby. The Australian IT firm elttam discovered that it is possible to carry out serialization and deserialization attacks against Ruby-based applications.

Not only did the researchers show the results of what they did, they also published the code that shows how it is done. This was done not to harm applications, but to expose the problem so that it can be fixed.
